xbrl kansas elsas

Enterprise-level Process Documentation incorporating Automatic Audit Analytics

On Positioning
XBRL Assurance Business Rules
in a Computational Infrastructure
for Modern Auditing

Philip Elsas

ComputationalAuditing.com

Lawrence, Kansas April 24-25, 2009

2009 Annual University of Kansas
International Conference on XBRL

A Practical View of XBRL in the 21st Century

Introduction

Since 2003: Company - Canada, Netherlands

1988-2003: Deloitte.
with intermezzo at Bakkenist Management Consultants, sold to Deloitte.

1990- 1996: PhD Computational Auditing

- Principal, Chief Architect & inventor of Smart Audit Support
- Smart Audit Support is since 1994 key in Deloittes worldwide
audit practice. Currently integrated in The Deloitte Audit
- System blueprint in Chapter 5 of

- PhD in Mathematics & Computing Science on Financial Auditing
- Parallel to Smart Audit project, in part-time at Vrije Universiteit
- Directly after appearance awarded with the biennial
Alfred Coini Prize for the best publication in Auditing

Offering software and consultancy services to
audit practices and audit software firms

1

The Dutch Tax Office used Computational Auditing in 2001-2003 as Frame of Reference to compare Big 4 firms planning and decision-support models and systems to investigate how to improve audit productivity (57 page report); considers Smart Audit Support leader of the pack.

Smart Audit Support - Build & Apply - Industry Templates - for the Audit Planning Process. International & National - Build is done by auditors only - no ITers involved.Dutch Tax Office, Center for Process & Product Development, report Optimizing Audit Decisions in fiscal audit; an approach relying on audit documentation; relevant for audit oversight approaches.Personally at Deloitte - first half: Internal Audit Staff - second half: External Management ConsultantIntermezzo late nineties at Bakkenist Management Consultants as consultant & shareholder - sold to Deloitte

Agenda

On Positioning XBRL Assurance Business Rules
in a Computational Infrastructure for Modern Auditing

How XBRL Works, by Charles Hoffman

Charles Smart XBRL App & Deloittes Smart Audit Support

Killer App for XBRL Assurance:
Early Warning System for Systemic Risk

2

XBRL Assurance, Business Rules and XBRL Formula

Looking into Builder-Based XBRL Assurance Apps

Killer App (Wikipedia): any computer program that is so necessary or desirable that it proves the core value of some larger technology, such as computer hardware like a gaming console, operating system or other software.
A killer app can substantially increase sales of the platform that it runs on.

How XBRL Works

by Charles Hoffman, CPA

Source at http://www.youtube.com/watch?v=nATJBPOiTxM

3

Unstructured Text

Inventory

Inventory consists of produce purchased for resale and supplies and are stated at the lower of cost or market using the first-in, first-out (FIFO) method. Inventory as of December 31, 2006 and 2005 amounted to $45,594 and $34,456, respectively.

Source: Charles Hoffman

4

Structured Text

Inventory



5

Structured for Presentation

Inventory

Inventory consists of produce purchased for resale and supplies and are stated at the lower of cost or market using the first-in, first-out (FIFO) method. Inventory as of December 31, 2006 and 2005 amounted to $45,594 and
$34,456 , respectively.

Inventory



6

Structured for Meaning

produce purchased for resale and supplies
lower of cost or market
FIFO
$45,594
$34,456

Inventory



7

Structured for Meaning, Global Standard

produce purchased for resale and supplies
lower of cost or market
FIFO
45594
$34,456

Inventory



8

9

This isnt your Daddys Financial Reporting Application!

Current approach, type this into Word:

Inventory


Smart XBRL Application:

Or:

Put a grid (neutral format table) here

Inventory


Agenda





10



XBRL Assurance

11

IFAC and other accounting organizations are discussing the topic to decide on a common approach and XBRL auditing standards. The auditor may give assurance to an XBRL financial statement, an XBRL business report and XBRL real-time reporting (often referred to as continuous reporting). The short term focus is on XBRL financial statements and regulatory reports, while the future focus is expected to be more on real-time reporting.

The XBRL standard has the ability to define business rules. These business rules can be found in different places (i.e. datatypes or linkbases) in the XBRL taxonomy. Application of these business rules will contribute to the reliability of the XBRL report. The business rules can be used by the reporting company (preparer), the taxonomy author (i.e. regulator) or the auditor.

Source: Marc van Hilvoorde, 2008, http://en.wikipedia.org/wiki/XBRL_assurance

XBRL assurance is the auditors opinion on whether a financial statement or other business report published in XBRL, is relevant, accurate, complete, and fairly presented. An XBRL report is an electronic file and called instance in XBRL terminology.

How to articulate, validate and execute a specification of an XBRL assurance process?

12

In XBRL Assurance we are particularly interested in articulating a methodology-based audit approach, or audit process, that guides how to achieve assurance

Isnt it too low?

Isnt it too high?

For example: Charles Smart XBRL Application

Inventory(Inflow:Purchase) + Inventory(Begin) Inventory(End) Inventory(Outflow:Resale,Suppliers) in products or money (gross profit)

1st interpretation: Bold font = Completeness Regular font = Correctness

2nd interpretation: Bold font = Correctness Regular font = Completeness

Example audit equation

13

declare function my:withinTolerance( $x as xdt:anyAtomicType,
$y as xdt:anyAtomicType ) as xdt:boolean* { fn:abs( $x - $y) lt 500 }

tax:withinTolerance ($Assets,($CurrentAssets + $FixedAssets))

sec:withinTolerance ($Equity,$EquityPrev + $Earnings)

withinTolerance ($Assets,$Liabilities + $Equity)

if () then else if () then else

Source: Charles Hoffman, 2009, http://xbrl.squarespace.com/journal/2009/1/11/things-generally-missed-about-business-rules-validation.html

Source: XBRL Formula Requirements by Hamscher, Shuetrim and Vun Kannon, 2005,
http://www.xbrl.org/technical/requirements/Formula-Req-CR-2005-06-21.htm

In articulating an XBRL assurance process,
a central role is considered for Business Rules using XBRL Formula

For example, fragments from corresponding XBRL Formula

Assets = Liabilities + Equity (i.e. the balance sheet balances)

The invoice total equals to the sum of the invoice line item amounts

If you report Property, Plant and Equipment on your balance sheet, you
need to provide specific policies and disclosures relating to that line item

For example, Business Rules

14

Having a computer-interpretable articulation of business rules offers main advantages:1. automatic validation, and2. automatic execution, like workflow software apps for
document transformations (BPEL, XPDL, YAWL, Wf-XML)

And, as a consequence of having one standard language to specify assurance business rules, users have extra advantages:

A global standard way to express business rules

A global standard way of exchanging such rules between applications

Business rules are separate from, instead of integrated in, applications

XBRL engines support a large user base, reducing cost per user

You can apply your own XBRL rules on incoming XBRL information

Source: Charles Hoffman, 2009, http://xbrl.squarespace.com/journal/2009/1/11/things-generally-missed-about-business-rules-validation.html [with point #2 extended]

Advantages

15

avoids handcrafting XBRL Formula expressions

Being focused on capturing audit methodology
in Business Rules expressed in XBRL Formula,
lets now look into an approach that:

2. by using a tailored website builder

and generates these expressions behind the screens for
validation and executable code-generation purposes

applicable to XBRL reports as Cascading Style Sheets

inside scripting (inside the audit team):

data analysis tasks, with form-driven configuration and
methodologically embedded in an audit planning context:
When to do which task? and What to do with results?

client-side scripting and

server-side scripting (e.g. JSP Standard Tag Library),

technically embedding executable scripts, via 3-way scripting:

automatically generating XML, XBRL and XBRL Formulas

publish/upload these smart forms as dynamic web pages

by specifying smart, interactive document/form templates

to articulate guidance on how to achieve XBRL assurance:

What keeps Audit Leaders up at night?, ACL, 2008

16

Why is it worthwhile to look into such a
builder approach? To gain extra advantages

Since a dedicated builder for XBRL Assurance is easy to use, it enables autonomous use by auditors, to prepare methodological guidance for auditors, without content intermediaries: quality & speed

An executable specification of an audit methodology supports driving integral planning, execution and documentation of each audit instance

Choosing document templates as embedders of the audit methodology enables levels of documentation, both prescribing (setting standards) & describing (client instance)

If its Not Documented,
its Not Audited

Evidence Acquisition Strategy thats Executable

Agenda





17



18

Charles Smart XBRL Application: Built in Yahoo! SiteBuilderPlayed in an arbitrary browser

Player

Builder

p.334

19

p.337

Builder

Player

Audit methodology
specification drives integral
planning, execution and documentation

Illustrative case:
Classification of the Clients Use of Computers

Proven Architecture for Interactive Audit Documentation and Guidance

Conditional relevancy:
An outgoing arrow labeled with choice specifies an activation dependency to a question, section, table, form, task, etc.

Effective: dont miss relevant issue

Efficient: less relevant issue is not accessible

Mitigation of litigation risk

Correctness by Construction

Deloittes Smart Audit Support: Interactive Audit Documentation published in Word and browsers
Worlds strongest audit support

Smart Audit SupportsDocument Index related toDeloittes International Audit Approach(1990s)

p.336

20

p.62

All planning docs
are smart forms

All planning docs
are smart forms

All planning docs
are smart forms

All planning docs
are smart forms

All planning docs
are smart forms

All planning docs
are smart forms

Audit pack is a bundle of forms

Deloittes Audit Methodology

Why builder-based approach?
extra benefits to gain for XBRL Assurance

21

The main challenge in specifying an executable assurance methodology:
preserve operational integrity and consistency

Thats where science steps in: mathematical proofs that show how each rewriting step in the executable methodology specification preserves integrity and consistency

E.g. the processing structure of all connected questions, tables, etc. is guarded to be a Directed Acyclic Graph

a specification huge in size, complex in structure, globally distributed, regionally refined, daily used by many, in groupware, and, as wanted and encouraged, regularly updated

Assurance expert makes own application & uploads it (business model)

Jumpstart: only a few hours learning curve on how to use builder tool

Comfortable: builder prevents classes of technical errors, no debugging

No need for cumbersome knowledge elicitation from expert to engineer

No need to transfer knowledge engineer specs to XBRL Formula expert

No need for the expert to verify the app made by XBRL Formula expert

Since a dedicated tool to build assurance guidance is easy to understand and use, assurance experts are enabled to autonomously construct executable guidance material, leading to extra benefits:

Correctness by Construction in Domain-Specific Language (DSL)

Agenda





22



23

Case I: Charles Smart XBRL App: extended for assurance

Lower of Cost or Market (LCM) is an approach to valuing and reporting inventory. Normally ending inventory is stated at historical cost (what was paid to obtain it) but there are times when the original cost of the ending inventory is greater than the cost of replacement thus the inventory has lost value. If the inventory has decreased in value below historical cost then its carrying value is reduced and reported on the balance sheet. The criterion for reporting this is the lesser of the value of the original cost or the market value. Any loss resulting from the decline in the value of inventory is charged to Cost of Goods Sold (COGS) if non-material, or Loss on the reduction of inventory to LCM if material. http://en.wikipedia.org/wiki/Lower_of_Cost_or_Market

Builder

Player

Functionality looked for by DecisionSoft, 2003

Available in Deloittes Smart Audit Support

Standard lib

24

Case I: Charles Smart XBRL App: getting Formula in Form

Builder

Player

Inventory(Inflow:Purchase) + Inventory(Begin) Inventory(End) Inventory(Outflow:Resale,Suppliers) in products or money (gross profit)

Example audit equation

Excel library with XBRL functions

The Formula in Form is automatically generated by an off-the-shelf spreadsheet add-on

Sector packs of prefab sheets

25

Case II: Raj Srivastavas Information Security Assessment

Based on:

Sun,
Srivastava
and Mock,
2006

An Informa-tion Systems
Security Risk
Assessment Model under Dempster-Shafer Theory,
pp.43-48

Player

Fully Automatic

Semi

Manual

Automatic

dual-thumb sliders with range highlights

26

Case II: Rajs Information Security Assessment

Builder

This can almost be expressed, in a slightly different way, in Deloittes Smart Audit Support

M: Majority Owner-Manager
S: Sales departmentB: Buy/Purchase department
F: Financial departmentT: IT departmentW: Warehouse manager
L: Labor/salary accounts
P: Planning department
C: Creditor accounts
D: Debtor accountsA: Application

Agent Legend

C b f t

F m d

D s t

A t

L f t

P t

P t

W t

A t

A t

S

A

A

L F

L F

L F

M

M

D F

D

C

B F

B F

W

P

P

P

P

W

A

A

A

A

C m

D f t

S t

A t

F t

B f t

B f t

P t

W t

L f

225

25

200

225

500

25

25

1,000

400

400

100

20

20

20

20

500

400

Agents access is associated to:1. Transactions2. States3. Flows

A capital letter is authorized, legitimate accessA small letter is illegitimate access, arising mainly as consequence of being authorized

Quantitatively motivated process decomposition

27

Case III: EYs & Hans Smart Flowchart Pilot Study

Output in XML, XBRL and scripts:
1. Audit equations

2. Segregation of
Duties analysis

Case by Hans Verkruijsse & EY team

Enterprise-level Process Documentation incorporating Automatic Audit Analytics

Approach: Powerful and easy system to support practice, founded in theory

The worlds strongest process-oriented Auditing Theory: classical Dutch Auditing Theory (80+ yrs)

& its best-fitting rigorous Process Theory:
Petri nets tailored to the Auditing Domain

Dynamic: Transaction
Profit & Loss Item

T

Static: State Balance Item

S

Systematic framework guides input preparation process

Input: diagram

Top-level is Supercycle. Overview connecting traditional cycles. Clarifying. Refreshing.

Case used in Efrim Boritz CAATs class

Fit recognized by Jagdish Gangolly

28

Case IV: Conceptual Positioning &
Computational Infrastructure

Executable External Controls, or audit tests, to test Ist ICs to Soll ICs;
external auditor, to identify and, if possible, mitigate weaknesses in
clients Internal Controls (ICs)

Normative Internal Controls in Soll, To Be modality; external auditor

Executable Internal Controls in Ist, As Is modality; internal auditor

XBRL Assurance Business Rules as:

Methodological context for data analysis tasks, answering: When to do
which test ? and What to do with the test results ? (ACL AuditExchange)

Standard setters develop high-level guidance packs, and strict forms
la tax, as basis to be refined, but not overruled, by other pack builders

External auditors develop sector or client packs for internal auditors,
strengthening client relationship (source trade, vendor lock-in & open)

Uploading by fee-earning experts. Downloading and applying by fee-
paying engagement teams. With a broker fee for the platform provider

By auditors, for auditors - no content mediators, only platform provider

Audit Pack Platform, Business Model:

Source: Rick Bookstab(b)er at http://rick.bookstaber.com/2009/02/markup-languages-and-mapping-market.html, speaker at the XBRL Risk Governance Forum, hosted by the
IBM Data Governance Council, February 2009 [emphasis added]:
Within the work of this Forum are the seeds of reducing the risk of future market crisis. Indeed, it could be the foundation for a quantum leap in risk management.

29

Case V: Rick Bookstabers proposal to set up an early
warning system to identify build-up of systemic risk + mitigation

Having the proper tags the proper bar code, if you will for financial products, ranging from bonds and equities to structured products and swaps will allow us to understand the potential for crisis events and system risk. It will help us anticipate the course of a systemic shock. It will identify cases where many investors might be acting prudently, but where their aggregate positions lead to a level of risk which they on their own cannot see. It also will give us the means to evaluate crises after the fact.

Why not have the external auditors do the first data aggregation ? They already visit all the major companies, know about auditing risks and know how to aggregate data to relevant, accurate, complete and fairly presented information on the business level. They only have to bundle and aggregate this individual business information to sector information. Furthermore, they are also familiar with all confidentiality issues involved. The audit firms submit their audited sector information to a central governmental agency, who is responsible for the new anticipation tasks.

Comment posted by Philip Elsas on Ricks blog

Agenda





30



Killer App (Wikipedia): any computer program that is so necessary or desirable that it proves the core value of some larger technology, such as computer hardware like a gaming console, operating system or other software.
A killer app can substantially increase sales of the platform that it runs on.

First release: matter of weeks or months, not years

The audit firms, as first aggregators of systemic risk indicators, connect micro to macro in XBRL (i.e. who is leveraged, what do they own and what do they owe to whom?), and submit their audited sector indicators to a government agency responsible for the new anticipation and mitigation tasks

How far away?

31

Priority for Urgency:

Early Warning System as Killer App for XBRL Assurance,
speeding up getting XBRLs Place & Future into Here & Now

For computational functionality: stop expecting more from XML,
start expecting more from the builder-based approach

An off-the-shelf system for bar-code tracking and tracing and configured for XBRL tag-coded financial products

Proposed Solution

Risks to be identified: crowding in markets, hot spots of high leverage, linkages in event of crisis based on investor positions

Jumpstart by co-operation of top-specialists Rick Bookstaber, Raj Srivastava
and Charles Hoffman, and preferably in co-operation with a Big 4 audit firm

Small step for XBRL,
quantum leap for financial world

XBRL Assurance is closer than ever

Limperg described the essence of the Theory of Inspired Confidence as follows: The normative core of the Theory of Inspired Confidence is therefore this:
the [auditor] is obliged to carry out his work in such a way that he does not
betray the expectations which he evokes in the sensible layman and;
conversely, the [auditor] may not arouse greater expectations than can be
justified by the work done. [1932, 1933]

This takes the principles-based approach to its logical extreme. At this extreme, there are no definite rules for what procedures an auditor must perform in a particular case, but the general principle that guides the auditor is to perform enough work to meet the expectations the auditor has aroused in society. Thus, the most important factor is societys needs, and the related factor that interacts with it is the ability of auditing methods to meet societys needs. However, societys needs are not fixed and change over time. Also, auditing methods can change and improve over time.

32

Why the audit profession welcomes increase of their
usefulness by being pivotal in systemic early warning

The dynamic theory [of inspired confidence] that connects societys need for reliable financial information to the ability of auditing methods to meet this need is the essence of the process that the PCAOB must follow.
The PCAOBs process must be directed by what is necessary to protect investors and further the public interest.

Source of quotes: Douglas R. Carmichael, first PCAOB Chief Auditor, 2004, http://aaahq.org/audit/midyear/04midyear/papers/Carmichael%20Speech.doc

The PCAOB and the Social Responsibility of the Independent Auditor

Limperg Institute Symposium, the Netherlands, June 10, 2009, organized by Hans Blokdijk & Ruud Veenstra, with contribution of ComputationalAuditing.com

[emphasis added]

xbrl kansas elsas

Economy & Finance